I've read and understood this proposal and I'm happy it meets the required functionality.
It isn't exactly mirroring how NIS+ does password change; it uses a daemon on the NIS+ root master that is contacted over the network using the end user's creds. However, I think this is sufficient and the risk of having an LDAP "admin" cred stored on each host is acceptable, particularly given that for those deployments where that is not acceptable the site can choose to use pam_ldap instead. I'd suggest one tiny naming change. Instead of using adminDN/adminPassword I'd recommend a name much more specific, so that it encourages sites to create an LDAP principal specifically for this use rather than using the directory manager (or other all-powerful account), say something like: shadowUpdateDN/shadowUpdatePassword. -- Darren J Moffat
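The point about a dedicated principal is that the credential stored on each host should only be able to do the one thing this mechanism needs. As an added illustration, not part of the review or the proposal, here is an LDIF fragment in the ACI syntax used by Sun DSEE / 389 Directory Server (assumed to be the directory in use; all DNs are constructed placeholders) that creates such a principal and limits it to writing the shadow and password attributes under the people container, so the host-side credential is not a directory-manager equivalent:

```ldif
# Constructed example: a service principal used only for pam_unix shadow updates.
# Its password is what a host would store as shadowUpdatePassword.
dn: cn=shadowupdate,ou=services,dc=example,dc=com
objectClass: top
objectClass: person
cn: shadowupdate
sn: shadowupdate
userPassword: REPLACE-WITH-A-LONG-RANDOM-SECRET

# Grant that principal write access to exactly the attributes a password
# change needs, and nothing else (no read of other users' attributes,
# no add/delete of entries, no access outside ou=people).
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword || shadowLastChange || shadowMin || shadowMax || shadowWarning || shadowInactive || shadowExpire || shadowFlag")
 (version 3.0; acl "shadow update service";
 allow (write)
 userdn="ldap:///cn=shadowupdate,ou=services,dc=example,dc=com";)
```

With this in place, compromise of a single host yields a credential that can reset passwords in ou=people but cannot read password hashes, alter group membership, or change its own ACI; auditing binds from cn=shadowupdate that come from unexpected source addresses is a straightforward detection.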
